Cloudflare Reveals Uber, OKCupid Data Exposed by Wide-Reaching Flaw

(CBS NEWS) Usernames and passwords leaked onto the open internet earlier this month due to a security bug that affected 3,400 websites, including popular services like Uber, Fitbit and OKCupid, according to a disclosure Thursday by cybersecurity company Cloudflare.

You wouldn’t mind if someone could break into the personal accounts you use to track your movements, fitness and love life, would you?

While there’s no indication hackers actually accessed usernames and passwords, as well as a slew of other private information sent by users over the services, the information was exposed both on corrupted versions of the websites and in cached results on search services like Google and Bing.

“The bug was serious because the leaked memory could contain private information and because it had been cached by search engines,” John Graham-Cumming, Cloudflare’s chief technical officer, wrote in a blog post detailing the flaw.

Google security researcher Tavis Ormandy identified the flaw on Friday. In his report about the bug, which also became public on Thursday, he said he found “private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings.”

The flaw originated in a widely used tool provided by Cloudflare, which was meant to help manage and protect internet traffic for the affected websites. In addition to usernames and passwords, messages sent over any of these platforms -- and any other information sent via web browser to the affected sites -- could have been exposed.

Uber and Fitbit didn’t respond to requests for comment. OKCupid didn’t provide a comment. Graham-Cumming said 3,400 total websites were using the tool that contained the flaw and confirmed these three were among those affected. But he declined to name any other services that might have had user data leak due to the problem.

A trickle of data, and then a surge

The flaw is now fixed and the leaked information has been purged from search engines, meaning it’s no longer exposed on the internet. After Ormandy identified the problem and notified Cloudflare on Friday, the company set up a team to fix the problem in a matter of hours. The flaw has been resolved since Saturday.

The information was exposed in bits and pieces as users interacted with the affected websites starting in September. The leak peaked in the week of Feb. 13-17, Graham-Cumming said in an interview. The information would appear on the webpage in a seeming string of nonsense, which users would most likely not know how to interpret, Graham-Cumming said. The data leakage was “ephemeral” because it would disappear the second a user closed the web page.

More worryingly, though, the leaked information was also cached by search engines like Google and Bing as they crawled the web and encountered the corrupted web pages.

After fixing the flaw, Cloudflare focused on erasing any trace of the leaked information from the internet. That meant working with search engines to purge the cached records of the corrupted webpages.

What’s the danger?

Graham-Cumming said users don’t need to worry about changing their passwords, because there is a very low chance that their login information was found by someone who knew where to look for it.

However, in his report of the bug, Google researcher Ormandy said Cloudflare’s disclosure “severely downplays the risk to [Cloudflare] customers.” Ormandy was referring to a draft of the disclosure he saw before Cloudflare went public with the news on Thursday.

It’s not clear whether Ormandy thinks end-user information is more vulnerable than Cloudflare is saying. Ormandy did not respond to questions about whether end-users of the affected websites should change their passwords or if they should be concerned about any other pieces of information that could have been exposed.